Show:
How to Avoid Violating HIPAA Rules When Using Social Media
Social media is so prevalent that people don’t think about what they post anymore. Millions of social media users look at the platforms as a way to communicate, express themselves, and get information.
While it’s fun to use, social media has also increased the risk of data breaches. People who work in the healthcare industry might also find themselves sharing more than they should on Twitter or Instagram. They could find themselves inadvertently violating the Healthcare Insurance Portability and Accountability Act (HIPAA) Security Rule.
Posting on social media can cause problems for the healthcare industry. Social media wasn’t the massive machine it is now when HIPAA became law in 1996. No specific HIPAA policies were made for social media at the time.
Times are different now but the policies on HIPAA violations policies don’t care whether Protected Health Information (PHI) was shared online or offline. Disclosing any of the 18 types of patient data will result in penalties.
HIPAA and Social Media’s Love-Hate Relationship
The healthcare industry can enjoy tremendous benefits from using social media. Healthcare organizations can encourage patients to become more proactive with their health. Social media can make interactions with patients more dynamic and they can easily share information about their services.
Healthcare providers and health-based businesses can also find new patients and leads on social media. But there’s also the potential for HIPAA privacy rules to be violated and PHI exposed.
Healthcare organizations must find the right balance on how to work with social media. Every hospital, pharmacy, Covered Entity, and Business Associate must develop a social media policy to reduce the risk of HIPAA violations. It’s also vital that health and wellness personnel receive proper training so they’ll know how to navigate social media and remain HIPAA compliant.
Common HIPAA Violations on Social Media
Updates on the HIPAA Privacy Rule expressly prohibit the use of PHI on social media platforms. It refers to texts, images, and videos about patients that could lead to other people identifying them.
The basic rule of “no posting of PHI” is easy to understand, yet thousands still make the mistake of sharing sensitive patient details. Here are the four top HIPAA compliance violations on social media.
· Posting Information About Patients
A nurse working for the Texas Children’s Hospital posted details of a patient’s condition on her Facebook group page. The nurse shared how the patient was too young to be vaccinated against measles and that he contracted the disease. The employee didn’t mention the young patient’s name, but the nurse shared where she worked.
Several screenshots of her post were sent to the hospital. There was an investigation. The nurse was found guilty of posting PHI and fired from her job.
The fact that there was no mention of the patient’s name or address doesn’t matter when it’s about HIPAA violations. People can still discover who the patient is based on other information inadvertently shared.
· Thinking Posts are Private or Deleted but they’re not
An employee who posted and shared PHI on Facebook but then deleted the post is still liable. In the previous example, the nurse deleted some of the comments she made on her Facebook group. But some people already took a screenshot. Plus, nothing can truly be erased once you post it online. Employees can still be called out for deleted posts or private messages.
· Sharing Photos, Documents, and PHI Without Written Consent
This violation happens more often than you think. Many people working in hospitals, clinics, and other medical establishments don’t seem to have a clear grasp of consent, especially where PHI is involved.
A recent case saw a group of surgeons taking photos of patients and uploading them without securing their consent. The photos showed body parts removed from patients. Some even showed patients on the operating table. Sharing images that show a patient’s face, name, or other details is a gross violation of HIPAA rules.
The resident surgeons violated the safety regulations of the HIPAA. The Office of Civil Rights (OCR), the enforcement arm of the HHS, can penalize the surgeons for thousands of dollars. They could also be suspended or terminated.
How to Avoid Social Media Faux Pas
There’s a lot that healthcare organizations can do to ensure HIPAA compliance with regard to social media.
The first step is to develop clear policies and procedures on social media use. The company should also make sure all employees understand it. Training on acceptable social media activities should be part of HIPAA training. There should also be refresher courses every year.
Employees can understand the policies better if there are examples. Explaining the possible penalties for social media HIPAA violations is also necessary.